cloudposse / terraform-aws-ssm-patch-manager

Terraform module to provision AWS SSM Patch Manager maintenance window tasks, targets, patch baseline, patch groups and an s3 bucket for storing patch task logs
https://cloudposse.com/accelerate
Apache License 2.0

chore(deps): update terraform cloudposse/s3-bucket/aws to v4 (main) - abandoned #30

Closed renovate[bot] closed 8 months ago

renovate[bot] commented 11 months ago

Mend Renovate

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [cloudposse/s3-bucket/aws](https://registry.terraform.io/modules/cloudposse/s3-bucket/aws) ([source](https://togithub.com/cloudposse/terraform-aws-s3-bucket)) | module | major | `2.0.0` -> `4.0.0` |

Release Notes

cloudposse/terraform-aws-s3-bucket (cloudposse/s3-bucket/aws)

### [`v4.0.0`](https://togithub.com/cloudposse/terraform-aws-s3-bucket/releases/tag/4.0.0)

[Compare Source](https://togithub.com/cloudposse/terraform-aws-s3-bucket/compare/3.1.3...4.0.0)

Bug fixes and enhancements combined into a single breaking release @aknysh (#202)

#### Breaking Changes

Terraform version 1.3.0 or later is now required.

##### `policy` input removed

The deprecated `policy` input has been removed. Use `source_policy_documents` instead. Convert from

```hcl
policy = data.aws_iam_policy_document.log_delivery.json
```

to

```hcl
source_policy_documents = [data.aws_iam_policy_document.log_delivery.json]
```

Do not use list modifiers like `sort`, `compact`, or `distinct` on the list, or it will trigger an `Error: Invalid count argument`. The length of the list must be known at plan time.

##### Logging configuration converted to list

To fix [#182](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/182), the `logging` input has been converted to a list. If you have a logging configuration, simply surround it with brackets.

##### Replication rules brought into alignment with Terraform resource

Previously, the `s3_replication_rules` input had some deviations from the [aws_s3_bucket_replication_configuration](https://registry.terraform.io/providers/-/aws/5.14.0/docs/resources/s3_bucket_replication_configuration) Terraform resource. Via the use of optional attributes, the input now closely matches the resource while providing backward compatibility, with a few exceptions.

- Replication `source_selection_criteria.sse_kms_encrypted_objects` was documented as an object with one member, `enabled`, of type `bool`. However, it only worked when set to the `string` "Enabled". It has been replaced with the resource's choice of `status` of type String.
- Previously, Replication Time Control could not be set directly. It was implicitly enabled by enabling Replication Metrics. We preserve that behavior even though we now add a configuration block for `replication_time`. To enable Metrics without Replication Time Control, you must set `replication_time.status = "Disabled"`.

These are not changes, just continued deviations from the resources:

- `existing_object_replication` cannot be set.
- `token` to allow replication to be enabled on an Object Lock-enabled bucket cannot be set.

#### what

- Remove local `local.source_policy_documents` and deprecated variable `policy` (because of that, bump the module to a major version)
- Convert `lifecycle_configuration_rules` and `s3_replication_rules` from loosely typed objects to fully typed objects with optional attributes.
- Use local `bucket_id` variable
- Remove comments suppressing Bridgecrew rules
- Update tests to Golang 1.20

#### why

- The number of policy documents needs to be known at plan time. Default value of `policy` was empty, meaning it had to be removed based on content, which would not be known at plan time if the `policy` input was being generated.
- Closes [#167](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/167), supersedes and closes [#163](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/163), and generally makes these inputs easier to deal with, since they now have type checking and partial defaults, meaning the inputs can be much smaller.
- Incorporates and closes [#197](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/197). Thank you [@nikpivkin](https://togithub.com/nikpivkin)
- Suppressing Bridgecrew rules Cloud Posse does not like should be done via external configuration so that users of this module can have the option of having those rules enforced.
- Security and bug fixes

#### explanation

Any list manipulation functions should not be used in `count` since it can lead to the error:

```console
│ Error: Invalid count argument
│
│   on ./modules/s3_bucket/main.tf line 462, in resource "aws_s3_bucket_policy" "default":
│  462:   count = local.enabled && (var.allow_ssl_requests_only || var.allow_encrypted_uploads_only || length(var.s3_replication_source_roles) > 0 || length(var.privileged_principal_arns) > 0 || length(local.source_policy_documents) > 0) ? 1 : 0
│
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to
│ first apply only the resources that the count depends on.
```

Using the local like this

```hcl
source_policy_documents = var.policy != "" && var.policy != null ? concat([var.policy], var.source_policy_documents) : var.source_policy_documents
```

would not work either if `var.policy` depends on apply-time resources from other TF modules.

General rules:

- When using `for_each`, the map keys have to be known at plan time (the map values are not required to be known at plan time)
- When using `count`, the length of the list must be known at plan time, the items inside the list are not. That does not mean that the list must be static with the length known in advance, the list can be dynamic and come from a remote state or data sources which Terraform evaluates first during plan, it just can't come from other resources (which are only known after apply)
- When using `count`, no list manipulating functions can be used in `count` - it will lead to the `The "count" value depends on resource attributes that cannot be determined until apply` error in some cases

### [`v3.1.3`](https://togithub.com/cloudposse/terraform-aws-s3-bucket/releases/tag/3.1.3)

[Compare Source](https://togithub.com/cloudposse/terraform-aws-s3-bucket/compare/3.1.2...3.1.3)

Unfortunately, this change makes `count` unknown at plan time in certain situations. In general, you cannot use the output of `compact()` in `count`. The solution is to stop using the deprecated `policy` input and revert to 3.1.2 or upgrade to 4.0.

#### 🚀 Enhancements

Fix `source_policy_documents` combined with `var.policy` being ignored @johncblandii (#201)

#### what

- Changed `var.source_policy_documents` to `local.source_policy_documents` so `var.policy` usage was still supported

#### why

- The ternary check uses `var.source_policy_documents` so `var.policy` being combined with `var.source_policy_documents` into `local.source_policy_documents` does not provide `true` for the ternary to execute

#### references

- [https://github.com/cloudposse/terraform-aws-config-storage/pull/39](https://togithub.com/cloudposse/terraform-aws-config-storage/pull/39)

### [`v3.1.2`](https://togithub.com/cloudposse/terraform-aws-s3-bucket/releases/tag/3.1.2): Fix Public Bucket Creation

[Compare Source](https://togithub.com/cloudposse/terraform-aws-s3-bucket/compare/3.1.1...3.1.2)

#### What's Changed

- Remove reference to TF_DATA_DIR retained by mistake in [#40](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/40) by [@Nuru](https://togithub.com/Nuru) in [https://github.com/cloudposse/terraform-aws-s3-bucket/pull/181](https://togithub.com/cloudposse/terraform-aws-s3-bucket/pull/181)
- Sync .github by [@max-lobur](https://togithub.com/max-lobur) in [https://github.com/cloudposse/terraform-aws-s3-bucket/pull/183](https://togithub.com/cloudposse/terraform-aws-s3-bucket/pull/183)
- Fix linters / Retest on AWS provider V5 by [@max-lobur](https://togithub.com/max-lobur) in [https://github.com/cloudposse/terraform-aws-s3-bucket/pull/188](https://togithub.com/cloudposse/terraform-aws-s3-bucket/pull/188)
- Fix Public Bucket Creation by [@rankin-tr](https://togithub.com/rankin-tr) in [https://github.com/cloudposse/terraform-aws-s3-bucket/pull/194](https://togithub.com/cloudposse/terraform-aws-s3-bucket/pull/194)

#### New Contributors

- [@rankin-tr](https://togithub.com/rankin-tr) made their first contribution in [https://github.com/cloudposse/terraform-aws-s3-bucket/pull/194](https://togithub.com/cloudposse/terraform-aws-s3-bucket/pull/194)

**Full Changelog**: https://github.com/cloudposse/terraform-aws-s3-bucket/compare/3.1.1...3.1.2

### [`v3.1.1`](https://togithub.com/cloudposse/terraform-aws-s3-bucket/releases/tag/3.1.1)

[Compare Source](https://togithub.com/cloudposse/terraform-aws-s3-bucket/compare/3.1.0...3.1.1)

#### 🐛 Bug Fixes

Revert change to Transfer Acceleration from #178 @Nuru (#180)

#### what

- Revert change to Transfer Acceleration from [#178](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/178)

#### why

- Transfer Acceleration is not available in every region, and the change in [#178](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/178) (meant to detect and correct drift) does not work (throws API errors) in regions where Transfer Acceleration is not supported

### [`v3.1.0`](https://togithub.com/cloudposse/terraform-aws-s3-bucket/releases/tag/3.1.0): Support new AWS S3 defaults (ACL prohibited)

[Compare Source](https://togithub.com/cloudposse/terraform-aws-s3-bucket/compare/3.0.0...3.1.0)

Note: this version introduced drift detection and correction for Transfer Acceleration. Unfortunately, that change prevents deployment of buckets in regions that do not support Transfer Acceleration. Version 3.1.1 reverts that change so that S3 buckets can be deployed by this module in all regions. It does, however, mean that when `var.transfer_acceleration_enabled` is `false`, Terraform does not track or revert changes to Transfer Acceleration made outside of this module.

Make compatible with new S3 defaults. Add user permissions boundary. @Nuru (#178)

#### what

- Make compatible with new S3 defaults by setting S3 Object Ownership before setting ACL and disabling ACL if Ownership is "BucketOwnerEnforced"
- Add optional permissions boundary input for IAM user created by this module
- Create `aws_s3_bucket_accelerate_configuration` and `aws_s3_bucket_versioning` resources even when the feature is disabled, to enable drift detection

#### why

- S3 buckets with ACLs were failing to be provisioned because the ACL was set before the bucket ownership was changed
- Requested feature
- See [#171](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/171)

#### references

- Closes [#174](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/174)
- Supersedes and closes [#175](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/175)
- Supersedes and closes [#176](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/176)

Always include `aws_s3_bucket_versioning` resource @mviamari (#172)

#### what

* Always create an `aws_s3_bucket_versioning` resource to track changes made to bucket versioning configuration

#### why

* When there is no `aws_s3_bucket_versioning`, the expectation is that the bucket versioning is disabled/suspended for the bucket. If bucket versioning is turned on outside of terraform (e.g. through the console), the change is not detected by terraform unless the `aws_s3_bucket_versioning` resource exists.

#### references

* Closes #171

Add support for permission boundaries on replication IAM role @mchristopher (#170)

#### what

* Adds support for assigning [permission boundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) to the replication IAM role

#### why

* Our AWS environment enforces permission boundaries on all IAM roles to follow AWS best practices with security.

#### references

* [AWS IAM Access Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)

#### 🤖 Automatic Updates

Update README.md and docs @cloudpossebot (#164)

#### what

This is an auto-generated PR that updates the README.md and docs

#### why

To have most recent changes of README.md and doc from origin templates

### [`v3.0.0`](https://togithub.com/cloudposse/terraform-aws-s3-bucket/releases/tag/3.0.0): Static Website Support, remove awsutils provider

[Compare Source](https://togithub.com/cloudposse/terraform-aws-s3-bucket/compare/2.0.3...3.0.0)

### Breaking changes

This release has what can be considered breaking changes, but mostly because it either reverts breaking changes introduced in v2.0.2 or fixes features that were previously broken and unusable.

- If an IAM user and access key is created by this module, the AWS Access Key does not expire, restoring the behavior in and prior to v2.0.1. In v2.0.2 and v2.0.3, keys expired in 30 days. If you are upgrading from v2.0.1 or earlier, this is not a breaking change.
- The `website_inputs` input is replaced by `website_configuration` and `website_redirect_all_requests_to`. The `cors_rule_inputs` input is replaced by `cors_configuration`. Thanks to [@jurgen-weber-deltatre](https://togithub.com/jurgen-weber-deltatre) for helping with this. If you were not using these inputs, then this is not a breaking change.

##### If neither of the above issues affects you, then there are no breaking changes between v2.0.0 and this release and you can safely upgrade without making any changes to your code.

### New Features

- The breaking change introduced in v2.0.2 that required you to initialize the `cloudposse/awsutils` Terraform provider with the AWS region has been reverted. This module no longer uses that provider.
- Support for S3 static websites is greatly improved. Configure with `website_configuration` and `cors_configuration`, or with `website_redirect_all_requests_to`. The website endpoint and base domain are now available as outputs.
- You can now store the IAM user's access key in SSM via `store_access_key_in_ssm`. When stored in SSM, the secret key is not output by this module as a Terraform output, preventing it from being stored unencrypted in the Terraform state file.
- You can now create a user but not create an access key by setting `access_key_enabled = false`. You can also use this feature to rotate an access key by setting it to `false` and applying to delete the key, then setting it to `true` and applying to create a new one. Note that in general we now recommend against creating an IAM user, and recommend using [AWS OIDC](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) to create an authentication path for users and systems that do not have native IAM credentials. Also note that you can assign permissions to existing AWS users and roles via `grants` or `privileged_principal_arns`.

#### what && why

- Update `terraform-aws-s3-user` to v1.0.0 and add inputs `access_key_enabled`, `store_access_key_in_ssm`, and `ssm_base_path` in order to
  - Make creating an IAM key for the S3 user optional
  - Enable saving the IAM key in SSM Parameter store and omitting it from Terraform state
- Remove dependency on `cloudposse/awsutils` Terraform provider. See `terraform-aws-iam-system-user` [v1.0.0 Release Notes](https://togithub.com/cloudposse/terraform-aws-iam-system-user/releases/tag/1.0.0) for further details and justification.
- Replace input `website_inputs` (which never worked) with `website_configuration` and `website_redirect_all_requests_to`. See [#142](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/142) for further details and justification.
- Replace input `cors_rule_inputs` with `cors_configuration` to match resource name.

#### references

- Implements and closes [#3](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/3)
- Fixes [#141](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/141)
- Supersedes and closes [#142](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/142)
- Obsoletes and closes [#151](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/151)
- Supersedes and closes [#154](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/154)
- Obsoletes and closes [#155](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/155)
- Supersedes and closes [#157](https://togithub.com/cloudposse/terraform-aws-s3-bucket/issues/157)

### [`v2.0.3`](https://togithub.com/cloudposse/terraform-aws-s3-bucket/releases/tag/2.0.3)

[Compare Source](https://togithub.com/cloudposse/terraform-aws-s3-bucket/compare/2.0.2...2.0.3)

### Deprecated

The changes introduced in v2.0.2 were problematic and have been removed in v3.0.0. It is not recommended to use this version or version 2.0.2.

#### 🤖 Automatic Updates

Update Terraform cloudposse/iam-s3-user/aws to v0.15.10 @renovate (#153)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [cloudposse/iam-s3-user/aws](https://registry.terraform.io/modules/cloudposse/iam-s3-user/aws) ([source](https://togithub.com/cloudposse/terraform-aws-iam-s3-user)) | module | patch | `0.15.9` -> `0.15.10` |

***

### [`v2.0.2`](https://togithub.com/cloudposse/terraform-aws-s3-bucket/releases/tag/2.0.2): minor breaking change (awsutils provider config)

[Compare Source](https://togithub.com/cloudposse/terraform-aws-s3-bucket/compare/2.0.1...2.0.2)

### Deprecated

The changes introduced in this release were problematic and have been removed in v3.0.0. It is not recommended to use this version or version 2.0.3.

#### 🤖 Automatic Updates

NOTE: This release requires the `cloudposse/awsutils` Terraform provider to be defined with a region. This can and should be the same region you have configured in your `aws` provider. The reason for this new provider is due to new functionality with a dependent [module](https://registry.terraform.io/modules/cloudposse/iam-s3-user/aws) (which uses this [module](https://togithub.com/cloudposse/terraform-aws-iam-system-user/blob/master/versions.tf) which requires `cloudposse/awsutils`) in this repo. (The new feature allows configuring S3 user AWS access keys to expire.)

```hcl
provider "awsutils" {
  region = var.region
}
```

Update Terraform cloudposse/iam-s3-user/aws to v0.15.9 @renovate (#119)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [cloudposse/iam-s3-user/aws](https://registry.terraform.io/modules/cloudposse/iam-s3-user/aws) ([source](https://togithub.com/cloudposse/terraform-aws-iam-s3-user)) | module | patch | `0.15.7` -> `0.15.9` |

***

### [`v2.0.1`](https://togithub.com/cloudposse/terraform-aws-s3-bucket/releases/tag/2.0.1)

[Compare Source](https://togithub.com/cloudposse/terraform-aws-s3-bucket/compare/2.0.0...2.0.1)

git.io->cloudposse.tools update @dylanbannon (#149)

#### what and why

Change all references to `git.io/build-harness` into `cloudposse.tools/build-harness`, since `git.io` redirects will stop working on April 29th, 2022.

#### References

- DEV-143

#### 🚀 Enhancements

Use object lock enabled @nitrocode (#148)

#### what

* Use object lock enabled

#### why

* Deprecation of dynamic `object_lock_configuration` for `object_lock_enabled`

```console
│ Warning: Argument is deprecated
│
│   with module.bucket.aws_s3_bucket.default,
│   on .terraform/modules/bucket/main.tf line 30, in resource "aws_s3_bucket" "default":
│   30: resource "aws_s3_bucket" "default" {
│
│ Use the top-level parameter object_lock_enabled and the aws_s3_bucket_object_lock_configuration resource instead
```

#### references

- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#object_lock_enabled
- Previous PR [https://github.com/cloudposse/terraform-aws-s3-bucket/pull/144](https://togithub.com/cloudposse/terraform-aws-s3-bucket/pull/144) (this did not use `object_lock_enabled` and only removed the dynamic)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
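As an added illustration of the v4.0.0 breaking changes quoted in the release notes above (this is not code from the PR, from this repository, or from the cloudposse module), here is a log-bucket module call migrated from the `policy` input to `source_policy_documents` and from a single `logging` object to a list, with the plan-time `count` caveat called out. The `logging` object fields (`bucket_name`, `prefix`), the `name` input from the module's label context, and the policy document contents are assumptions for the example.

```hcl
# Added example (not from the PR or the cloudposse/s3-bucket/aws module).
# Migrates a patch-log bucket from the 2.0.0-style inputs to the 4.0.0 inputs.

# A policy document from a data source is evaluated during plan, so a list
# literal containing its JSON has a length Terraform knows at plan time.
# Statement contents are constructed for the example; the role ARN is a placeholder.
data "aws_iam_policy_document" "log_delivery" {
  statement {
    sid       = "AllowPatchLogUploads"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::example-patch-logs/*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:role/EXAMPLE-instance-role"]
    }
  }
}

# BEFORE (2.0.0 style, kept as a comment): deprecated `policy` input and a
# single `logging` object (object shape assumed).
#
# module "patch_logs" {
#   source  = "cloudposse/s3-bucket/aws"
#   version = "2.0.0"
#   name    = "example-patch-logs"
#   policy  = data.aws_iam_policy_document.log_delivery.json
#   logging = { bucket_name = "example-access-logs", prefix = "patch-logs/" }
# }

# AFTER (4.0.0): `source_policy_documents` replaces `policy`, and `logging`
# is wrapped in brackets because the input is now a list.
module "patch_logs" {
  source  = "cloudposse/s3-bucket/aws"
  version = "4.0.0"
  name    = "example-patch-logs" # assumed label-context input

  # Keep this a plain list literal. Do NOT wrap it in compact(), sort() or
  # distinct(): the module feeds length() of this list into a `count`, and
  # list-manipulating functions can make that length unknown until apply,
  # which surfaces as "Error: Invalid count argument".
  source_policy_documents = [data.aws_iam_policy_document.log_delivery.json]

  logging = [
    {
      bucket_name = "example-access-logs" # assumed field name
      prefix      = "patch-logs/"         # assumed field name
    }
  ]

  # Two of the inputs that the quoted count expression checks; both turn
  # on bucket-policy statements that harden a log bucket.
  allow_ssl_requests_only      = true
  allow_encrypted_uploads_only = true
}
```

If the policy JSON came from a resource created in the same apply rather than a data source, the list length would still be known (it is a literal of one element), but any `compact()` over it would not be, which is exactly the failure the release notes describe.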

griff92 commented 8 months ago

Could this be reviewed please as this issue is causing us some problems in our pipelines

Gowiem commented 8 months ago

/terratest

Gowiem commented 8 months ago

@griff92 does using this branch from renovate work to fix your issue?

Gowiem commented 8 months ago

@griff92 we can't merge this PR without tests passing and we're having an issue with the tests due to an old version of our VPC module being used in the examples/complete test case. See the below screenshot. Would you be interested in working on this, fixing those tests, and we'll work on getting this merged?

[Screenshot: CleanShot 2023-11-08 at 11 49 19]

griff92 commented 8 months ago

Thanks for getting onto this so quick.

Yeah, I wouldn’t mind contributing. Leave it with me and I’ll look at it when I can.

Thanks.

renovate[bot] commented 8 months ago

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

Gowiem commented 8 months ago

Good stuff @griff92 -- thanks for taking it on. Check out this PR which is going through the same issue with regard to the VPC causing our tests to fail. The fixes from that contributor's PRs should help with providing a roadmap of what you need to do.

https://github.com/cloudposse/terraform-aws-rds/pull/157#pullrequestreview-1706452738

JacobyDehunter commented 8 months ago

@Gowiem I've made the changes to the modules used in examples/complete at the request of @griff92. My PR is here: https://github.com/cloudposse/terraform-aws-ssm-patch-manager/pull/31 Could these changes be merged in so we can test again? Thanks

renovate[bot] commented 8 months ago

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

max-lobur commented 8 months ago

Tests fixed in main, rebasing this now

max-lobur commented 8 months ago

/terratest